CVE-2023-29458 - Vulnerability Details - OpenCVE

Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00084.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Zabbix	Zabbix

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:zabbix:5.0.34:::::::*
	cpe:2.3:a:zabbix:zabbix:6.0.17:::::::*
	cpe:2.3:a:zabbix:zabbix:6.4.2:::::::*

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3909-1	zabbix security update
EUVD	EUVD-2023-33027	Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html
https://support.zabbix.com/browse/ZBX-22989

History

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html

Tue, 22 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2023-07-13T09:33:46.403Z

Updated: 2025-11-03T21:47:55.154Z

Reserved: 2023-04-06T18:04:44.892Z

Link: CVE-2023-29458

Vulnrichment

Updated: 2025-11-03T21:47:55.154Z

NVD

Status : Modified

Published: 2023-07-13T10:15:09.573

Modified: 2025-11-03T22:16:07.523

Link: CVE-2023-29458

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-29458", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2023-04-06T18:04:44.892Z", "datePublished": "2023-07-13T09:33:46.403Z", "dateUpdated": "2025-11-03T21:47:55.154Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Proxy", "Server"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "5.0.35rc1", "status": "unaffected"}], "lessThanOrEqual": "5.0.34", "status": "affected", "version": "5,0,0", "versionType": "git"}, {"changes": [{"at": "6.0.18rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.17", "status": "affected", "version": "6,0,0", "versionType": "git"}, {"changes": [{"at": "6.4.3rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.2", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.0alpha1", "status": "unaffected"}], "lessThanOrEqual": "7.0.0alpha1 ", "status": "affected", "version": "7.0.0alpha1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "nepalihacker0x01"}], "datePublic": "2023-06-16T11:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use."}], "value": "Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use."}], "impacts": [{"capecId": "CAPEC-125", "descriptions": [{"lang": "en", "value": "CAPEC-125 Flooding"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-07-13T09:33:46.403Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-22989"}], "source": {"discovery": "UNKNOWN"}, "title": "Duktape 2.6 bug crashes JavaScript putting too many values in valstack.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-22989", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:47:55.154Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T16:19:37.201477Z", "id": "CVE-2023-29458", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T16:22:56.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-22989", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:47:55.154Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-29458", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T16:19:37.201477Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T16:22:02.437Z"}}], "cna": {"title": "Duktape 2.6 bug crashes JavaScript putting too many values in valstack.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "nepalihacker0x01"}], "impacts": [{"capecId": "CAPEC-125", "descriptions": [{"lang": "en", "value": "CAPEC-125 Flooding"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Proxy", "Server"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "5.0.35rc1", "status": "unaffected"}], "version": "5,0,0", "versionType": "git", "lessThanOrEqual": "5.0.34"}, {"status": "affected", "changes": [{"at": "6.0.18rc1", "status": "unaffected"}], "version": "6,0,0", "versionType": "git", "lessThanOrEqual": "6.0.17"}, {"status": "affected", "changes": [{"at": "6.4.3rc1", "status": "unaffected"}], "version": "6.4.0", "versionType": "git", "lessThanOrEqual": "6.4.2"}, {"status": "affected", "changes": [{"at": "7.0.0alpha1", "status": "unaffected"}], "version": "7.0.0alpha1", "versionType": "git", "lessThanOrEqual": "7.0.0alpha1 "}], "defaultStatus": "affected"}], "datePublic": "2023-06-16T11:16:00.000Z", "references": [{"url": "https://support.zabbix.com/browse/ZBX-22989"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use.", "supportingMedia": [{"type": "text/html", "value": "Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-07-13T09:33:46.403Z"}}}, "cveMetadata": {"cveId": "CVE-2023-29458", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:47:55.154Z", "dateReserved": "2023-04-06T18:04:44.892Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2023-07-13T09:33:46.403Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:5.0.34:*:*:*:*:*:*:*", "matchCriteriaId": "21E9CA91-6BA2-4046-A81B-56203307F325", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:6.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "F6C005FB-B627-4C3B-8873-4ECF4A3696CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:6.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "2FECE71F-56F9-4E90-99EC-DBDCFE5AC605", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use."}], "id": "CVE-2023-29458", "lastModified": "2025-11-03T22:16:07.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security@zabbix.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-13T10:15:09.573", "references": [{"source": "security@zabbix.com", "tags": ["Third Party Advisory"], "url": "https://support.zabbix.com/browse/ZBX-22989"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.zabbix.com/browse/ZBX-22989"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security@zabbix.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-129"}], "source": "nvd@nist.gov", "type": "Primary"}]}